In a previous article, I wrote about the importance of valuing your smart contract audit correctly—how its cost should be determined, what you should be looking for, etc.—and the importance of knowing that the auditor you’re working with has the bona fides to demonstrate that they’re up to the task. One of the most important indicators that your smart contract auditor is reliable, diligent, effective and honest is their reputation.
The problem with reputation is that it's kind of a nebulous concept. Consider this: Every so often, the media catches wind of a lesser-known auditor releasing thousands of reports with a very small team. Word spreads, and their client list grows exponentially. Eventually, the demand becomes too much to handle, and the quality of their reports takes a nosedive.
Another issue is that there is a slew of auditors, even relatively green ones, who are perfectly content to refer to themselves as a “Top 5 Worldwide Auditor” (or some variation on this theme). In other industries, there are reputable lists produced by outside evaluators, wherein an appearance in the “Top X” is a meaningful designation; however, fewer of these vetted lists exist in our industry, which makes verifying an auditor’s self-proclaimed status something of a challenge.
As you can see, it’s important to remember that media coverage does not inherently speak to the quality of an auditor, or to their process.
The mark of a high-quality auditor who will do a great job with your project has less to do with the auditor as a solo entity and more to do with the relationship between client and auditor. This is reflected by the client’s involvement in the process. Often, auditors just call the client’s attention to the errors in the code. This is something of a shortcut, and the results are often undesirable.
To truly detect any mistakes that affect the business logic of the contract, you have to study the project—the idea, the documents, etc. This requires another level of communication with the client. Often, there are mistakes within the business logic itself: Many people who create web3 projects have not yet fully absorbed the new paradigms involved, so helping them build sound decentralized logic is pretty much a matter of “good manners” for an auditor.
So, how do you know if your auditor is someone who exhibits these “good manners?”
I sometimes joke that it’s like buying boots. Check the quality. I would read two, three, maybe even five reports from this auditor, studying what they comment on and what they suggest. If the data in the report is superficial, something anyone could obtain, this should raise questions. But admittedly, for this type of evaluation to be effective, you have to have a certain level of expertise with smart contracts.
A simpler approach is studying reviews in the community, but it’s important to keep in mind that these can be falsified. So it’s also important to look at the results of their audits. Were these projects successful, or did they run into landmines? The outcomes are the best reflection of the auditor’s work.
It might also be useful to look at their training. There are courses and even whole academies dedicated to teaching smart contract auditors. These can be independently run or work with known auditor companies.
Lastly, you should also check to see what information the auditor is putting out into the ecosystem. A good auditor is keen to share knowledge and results openly, whether that occurs through a blog, channel, interviews or conference presentations. Quality auditors invest time in spreading awareness and information. They actively work to show potential clients that they have high standards and that they practice what they preach.
Two signs that should concern you, when shopping for an auditor, are low prices and speedy work. As in many industries, when an offer seems too good to be true…it probably is. If the report costs $200 and is ready in a day, what does that tell you about the person behind it?
But, occasionally, even the best-trained, most scrupulous auditor can miss something. It’s just a reality of the industry. This can result in reputational damage, even if that’s not an entirely accurate or fair way to evaluate an auditor’s work.
Some auditing companies have an insurance fund that is used to compensate clients for lost assets that in some way stem from a failure in the audit. They may also refund the money if it’s demonstrably clear that the job wasn’t done properly—but that’s a sensitive matter, since it’s often not easy to determine whether a job wasn’t “well done.” For instance, if the auditor finds five out of six serious issues, is that good? What if the sixth issue is the one causing all the problems?
There’s not always a simple answer to the question of whether the audit is “at fault” when something goes awry. In many ways, auditing is like research—no matter how hard you pore over the text, you can always miss something. Good auditors accept this risk and reality as a part of our business, and do not present themselves as infallible; they learn from their mistakes and use these learnings to improve the quality of their work.
Lastly, ethical issues are always present in an auditor’s work. Some auditors will look the other way and let an issue through to keep the client happy. And some clients might even offer bonuses for keeping a vulnerability quiet. These are, for obvious reasons, considered unethical practices in our industry.
An auditor with integrity will stand with the users of the project, shining a light on all the issues that could cause problems, even if that isn’t the path that will benefit them personally in money or expedience. Their reputation depends on it. They know that those who choose financial gain over integrity will not have long-lived auditing careers. Siding with and protecting the users is ultimately the imperative.